Cyber Presentation

Uploaded by

komalzaeem03

University Of Sahiwal

Department Of Information Technology

Presentation Title: SQL Injection

Presented To: Mam Tabinda Ali
Subject: Cyber Security

Presented By

Komal Zaeem (BSIT-M1-20-32)
Ayesha Mubeen (BSIT-M1-20-02)
Amina Irshad (BSIT-M1-20-51)
SQL INJECTION
• SQL Injection is a code-based vulnerability that allows an attacker to read sensitive data from the database.
• Attackers can bypass the application's security measures and use SQL queries to modify, add, update, or delete records in a database.
• A successful SQL injection attack can seriously damage websites or web applications that use relational databases such as MySQL, Oracle, or SQL Server.
Impacts
How does an SQL Injection attack work? Example

When you enter an arbitrary username and password, the application won't let you log in.

Let's write an SQL statement in the username field and try to log in again.

• My username will be: ' or 1=1 --
• Click on Login
• This time you will be logged in, with a status update saying the user has been authenticated.
Example explained ...

• The single quote (') is an operator that the database server interprets: it ends the username string, so the condition that follows is evaluated by the database against the default user table. The condition you gave was 1=1, which is always true. So the query selected the default user table that was available in the database and, instead of comparing the input to a password, it compared it to the always-true condition.
Types of SQL Injection

In-band SQLi -
The attackers use the same communication channel to launch their attacks and collect results.

• Error-based SQL injection - Here, the attacker performs certain actions that cause the database to generate error messages. Using the error message, you can identify what database it utilizes, the version of the server where the handlers are located, etc.

• Union-based SQL injection - Here, the UNION SQL operator is used to combine the results of two or more SELECT statements generated by the database into a single HTTP response. You can craft your queries within the URL or combine multiple statements within the input fields and try to generate a response.
Blind SQLi -
Here, the data is not transferred via the web application. The attacker cannot see the result of an attack in-band.

• Boolean-based SQL Injection - Here, the attacker sends an SQL query to the database asking the application to return a different result depending on whether the query returns True or False.

• Time-based SQL Injection - In this attack, the attacker sends an SQL query to the database which makes the database wait for a particular amount of time before sharing the result. The response time helps the attacker decide whether a query is True or False.
Out-of-band SQL Injection -

• Out-of-band SQL injection is not so common, as it depends on the features that are enabled on the database server used by the web application. It usually results from a misconfiguration by the database administrator.
How to Prevent SQL injection?

Some of the other methods used to prevent SQL Injection are:

• Password hashing
• Third-party authentication
• Web application firewall
• Purchase better software
• Always update and use patches
• Continuously monitor SQL statements and database
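The login bypass from the example slide and the prevention advice above, shown together as an added example that is not part of the presentation: a login query built by string concatenation, which the page's `' or 1=1 --` username defeats, beside a parameterized query that treats the same input as plain data. SQLite, the `users` table and the single account are constructed for this demo; a real system would store a password hash, as the prevention list recommends.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory database with one demo account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plain-text password only to keep the demo small (store a hash in practice).
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Login check built by string concatenation (the pattern SQLi exploits).

    With username "' or 1=1 --" the query becomes
      ... WHERE username = '' or 1=1 --' AND password = '...'
    The quote closes the literal, "or 1=1" is always true, and "--"
    comments out the password check, so the first user row is returned.
    """
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same check with a parameterized query.

    The driver sends the inputs as bound values, never as SQL text, so the
    quote, the "or 1=1" and the "--" are just characters in a username that
    matches no row.
    """
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1 --"
    print("vulnerable login with payload:", login_vulnerable(db, payload, "x"))
    print("parameterized login with payload:", login_safe(db, payload, "x"))
    print("parameterized login, real creds:", login_safe(db, "alice", "correct horse"))
```

Running it shows the concatenated query authenticating as `alice` with no valid password, while the parameterized version rejects the payload and still accepts the genuine credentials.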
